If a security vendor tells you that their encryption key management appliance is FIPS 140-2 Level 2 validated (FIPS 140-2 being the standard that determines a cryptographic module's security assurance level), ask them to show you that the certificate is current. Also check that the certificate applies to the hardware and firmware versions you actually run, and that it covers the appliance itself rather than just a crypto library inside it. The appliance needs to be a fully validated hardware boundary (i.e., the full appliance chassis) so that the key database, logs, configuration, etc. inside it fall within the validated boundary.

Why is FIPS important?

FIPS is an acronym for Federal Information Processing Standards. FIPS 140-2 validation is currently a requirement for products implementing cryptography sold to the US federal government for protecting sensitive but unclassified data. FIPS 140-2 Level 2 means the hardware appliance is tamper evident (e.g., tamper-evident seals or coatings) and uses role-based authentication. It is mandatory for US federal agencies that handle sensitive information, and it is becoming increasingly important in healthcare, legal, public safety and mobile operators. Note that FIPS 140-3 has since superseded FIPS 140-2 for new validations, so also check which standard a certificate was issued under and whether the CMVP still lists it as Active rather than Historical.

Organizations running government, financial, healthcare or other systems that require FIPS 140-2 Level 2 compliance need to make sure that the products they deploy are actually current, covered and validated. No one wants to be left running a non-compliant solution that fails the federal or industry requirements the organization is legally obliged to meet.

Know your FIPS Terminology

"Vendor affirmed" does not equal validated, and "FIPS ready" or "designed for FIPS" does not mean validated either; only a module on the CMVP validated modules list, with a certificate whose listed hardware and firmware versions match what you run, counts. Besides keeping the key management environment certified, CMVP-validated equipment has had its cryptographic implementation independently tested, which reduces implementation weaknesses and interoperability problems between different vendors' products. To find out if your key management appliances have a current, viable validation, check the CMVP validated modules list: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
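As an added example (not code from the original post or from any vendor), here is a Python fleet check that encodes the questions above: is the certificate still Active and not past its sunset date, does it name the exact hardware and firmware versions you run, is its overall level at least 2, and is the boundary a Hardware module covering the whole chassis rather than a crypto library inside it. All module names, versions, dates and certificate fields are constructed placeholders, and the CMVP field labels such as "Multi-Chip Stand Alone" are assumptions that should be copied from the actual listing and Security Policy.

```python
"""Added example (not from the original post): gate a fleet of key management
appliances on whether each one is actually covered by its FIPS 140-2 certificate.
All module names, versions, dates and certificate data below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class CmvpCertificate:
    """Fields a practitioner copies from the CMVP listing and the module's Security Policy."""
    module_name: str
    status: str                         # CMVP list status: "Active", "Historical" or "Revoked"
    overall_level: int                  # overall FIPS 140-2 level, 1..4
    module_type: str                    # "Hardware", "Software", "Firmware" or "Hybrid"
    embodiment: str                     # assumed CMVP wording, e.g. "Multi-Chip Stand Alone"
    hardware_versions: FrozenSet[str]   # exact version strings named on the certificate
    firmware_versions: FrozenSet[str]
    sunset_date: Optional[date] = None  # sunset date from the listing, if one is shown


@dataclass(frozen=True)
class Appliance:
    hostname: str
    module_name: str
    hardware_version: str
    firmware_version: str


WHOLE_CHASSIS = "Multi-Chip Stand Alone"   # assumed CMVP embodiment label for a standalone box


def coverage_findings(app: Appliance, cert: CmvpCertificate, today: date,
                      required_level: int = 2) -> List[str]:
    """Return every reason the appliance is NOT covered; an empty list means covered."""
    findings: List[str] = []
    if cert.module_name != app.module_name:
        findings.append(f"certificate names '{cert.module_name}', not '{app.module_name}'")
    if cert.status != "Active":
        findings.append(f"certificate status is '{cert.status}', not 'Active'")
    if cert.sunset_date is not None and today > cert.sunset_date:
        findings.append(f"certificate sunset date {cert.sunset_date.isoformat()} has passed")
    if cert.overall_level < required_level:
        findings.append(f"overall level {cert.overall_level} is below required level {required_level}")
    # A validated crypto library inside the box does not make the box a validated hardware boundary
    if cert.module_type != "Hardware" or cert.embodiment != WHOLE_CHASSIS:
        findings.append(f"boundary is a {cert.module_type} module ({cert.embodiment}), not the full chassis")
    if app.hardware_version not in cert.hardware_versions:
        findings.append(f"hardware version {app.hardware_version} is not listed on the certificate")
    # Exact match on purpose: a newer firmware build is not covered until it is re-validated
    if app.firmware_version not in cert.firmware_versions:
        findings.append(f"firmware version {app.firmware_version} is not listed on the certificate")
    return findings


def is_covered(app: Appliance, cert: CmvpCertificate, today: date, required_level: int = 2) -> bool:
    return not coverage_findings(app, cert, today, required_level)


def audit_fleet(fleet: List[Tuple[Appliance, CmvpCertificate]], today: date) -> Dict[str, List[str]]:
    """Map each hostname to its findings, so a compliance job can fail on any non-empty entry."""
    return {app.hostname: coverage_findings(app, cert, today) for app, cert in fleet}


# --- constructed sample data (placeholder names, not real CMVP entries) ---
CERT_APPLIANCE = CmvpCertificate(
    module_name="ExampleKMS 2000", status="Active", overall_level=2,
    module_type="Hardware", embodiment=WHOLE_CHASSIS,
    hardware_versions=frozenset({"HW-A"}),
    firmware_versions=frozenset({"4.2.0", "4.2.1"}),
    sunset_date=date(2026, 9, 21))
CERT_LIBRARY_ONLY = CmvpCertificate(      # what a "FIPS inside" claim often really points at
    module_name="ExampleCrypto Library", status="Active", overall_level=1,
    module_type="Software", embodiment=WHOLE_CHASSIS,
    hardware_versions=frozenset(), firmware_versions=frozenset({"2.0"}))

FLEET = [
    (Appliance("kms1", "ExampleKMS 2000", "HW-A", "4.2.1"), CERT_APPLIANCE),     # covered
    (Appliance("kms2", "ExampleKMS 2000", "HW-A", "4.3.0"), CERT_APPLIANCE),     # firmware drifted
    (Appliance("kms3", "ExampleKMS 2000", "HW-A", "4.2.1"), CERT_LIBRARY_ONLY),  # library cert only
]
AUDIT_DATE = date(2024, 6, 1)
AFTER_SUNSET = date(2027, 1, 1)

if __name__ == "__main__":
    for host, findings in audit_fleet(FLEET, AUDIT_DATE).items():
        print(host, "COVERED" if not findings else "NOT COVERED: " + "; ".join(findings))
```

The version comparison is deliberately an exact string match: a certificate lists specific hardware and firmware versions, and a routine firmware update takes the appliance out of the validated configuration until the vendor re-validates it. Populate `CmvpCertificate` from the listing entry and the Security Policy each time the audit runs, rather than from the vendor's data sheet.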